235: Filesystem: How To Avoid Security Vulnerabilities. Part 1.

When it comes to security, it’s better to learn from examples. This episode explains a very important and simple piece of advice. Always test for things that you want instead of things you don’t want. You’ll need to understand the differences between an Ordinal string comparison vs. OrdinalIgnoreCase vs. InvariantCulture when deciding if filenames are what you think they are. Listen to the episode or read the full transcript below. Transcript Failure is a good thing when we learn from it. In fact, if we’re not failing, then we’re not trying new things. And because a lot of programming will be new to us, we can expect to fail a lot. Especially when we’re just getting started with programming. Now a normal failure might mean that your new design doesn’t work the way you expect. But some failures can be taken advantage of to cause something unexpected in your code. Or at least, unexpected to you. For the person taking advantage of the error, the behavior is exactly what an attacker wants. There’s a whole class of attacks that take advantage of the filesystem. These attacks can be caused by mistakes in how your code uses the filesystem. Under normal usage, you might never notice. Until, for example, an attacker sets up a few files with some special names. Let’s say that you need to write some code that uses the filesystem. And you’re worried that somebody could try to misuse your program in ways that should not be allowed. So you put checks in your code to prevent this. You even test it and sure enough, your code catches the problem and stops the misuse. The problem is that you’re still thinking like a regular user making mistakes. You need to be aware of different ways that an attacker can purposefully lead your application to do things you never expected would be possible. This is where it’s good to learn from examples. There’s so many ways that it’s hard to count how your code can be misled and allow some misuse to proceed. You really don’t want to have to learn each of these attacks the hard way. I’ll explain in this series of episodes some common mistakes that you can learn from. This episode will focus on filesystem name attacks. This is not a full security episode. There’s just too much for a single episode even after limiting the discussion to filesystems. Okay, the first attack you can avoid with some simple advice. Always test for things that you want instead of things you don’t want. Think of it like this. You have a path leading to your door that you want to make sure people walk on. And if somebody walks on the grass instead of the path, then you won’t answer the door. Seems simple enough right? My advice in this situation is to watch the path. But for some reason we’re wired to want to watch the grass instead. We see somebody walking on the grass and then the doorbell rings and we refuse to answer the door. That’s the normal behavior we build into our applications. And it works fine until a thief sneaks around the side of the house and under the window that we’re using to watch the grass. We hear the doorbell and think it must be okay because we didn’t see anybody walking on the grass. The really interesting part of this example though is that sometimes we still don’t understand and find more ways to avoid watching the path. Maybe we think that our grass watching abilities are limited so we make the window bigger and put up lights on the grass so nobody can sneak past. And it works. Until a thief climbs a tree, jumps onto the roof, and then drops down in front of the door and rings the bell again. The point is, anytime you have things you want to check for, make sure to check for them directly. Don’t try to eliminate all the things you don’t want to happen. Focus on the things you do want to happen. If you expect a file to have a certain name, then check the name